McAfee® Host Intrusion Prevention 6.1 Product Guide

Maintenance

 

Setting up notifications for events

8

Host Intrusion Prevention notifications

Host Intrusion Prevention supports the following product-specific notification categories:

• Host Intrusion detected and handled
• Network Intrusion detected and handled
• Application blocked
• Computer placed in quarantine mode

At the category level, notifications are configured for all or none of the Host (or Network) IPS signatures; there is no selection by signature set or by severity. Entercept 5.x supported notifications based on sets of signature IDs or on individual severity levels. To target one signature, Host Intrusion Prevention lets you enter a single IPS signature ID in the Threat Name (or Rule Name) field of the notification rule. Because the product internally maps the signature ID attribute of an event to the threat name, such a rule matches exactly one IPS signature. Note that only the Host and Network IPS events carry a signature ID in this field; Application blocked and quarantine events do not, so a rule keyed on a signature ID never fires for them.

The event values that Host Intrusion Prevention supplies for each notification parameter usable in the subject or body of a message are:

Parameter               Host and Network IPS      Blocked Application       Quarantine Event
                        Event Values              Event Values              Values
----------------------  ------------------------  ------------------------  ------------------------
ReceivedThreatNames     SignatureID               none                      none
SourceComputers         Remote IP address         computer name             computer name
AffectedObjects         Process Name              Application name          IP address of computer
EventTimestamp          Incident time             Incident time             Incident time
EventID                 ePO mapping of event ID   ePO mapping of event ID   ePO mapping of event ID
AdditionalInformation   Localized Signature Name  Application full path     none
                        (from client computer)
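The following simulation, added here as an example and not McAfee's or ePO's own code, models the table above and the single-signature rule described earlier: each event category fills the six notification parameters from different event attributes, a rule's Threat Name filter is compared against ReceivedThreatNames (the signature ID), and a signature-keyed rule therefore matches only Host or Network IPS events. The events, rule names, event IDs and signature IDs are constructed values, and the {Parameter} placeholder syntax for the subject and body is an assumption, not ePO's actual template syntax.

```python
"""Model of ePO notification selection and rendering for Host IPS 6.1 events.
Added example, not McAfee's code. Event values, IDs and the {Parameter}
template syntax are constructed assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

HOST_IPS = "Host Intrusion detected and handled"
NETWORK_IPS = "Network Intrusion detected and handled"
APP_BLOCKED = "Application blocked"
QUARANTINE = "Computer placed in quarantine mode"


@dataclass
class Event:
    category: str
    event_id: int                            # ePO mapping of the event ID
    incident_time: datetime
    signature_id: Optional[int] = None       # IPS events only
    remote_ip: Optional[str] = None          # IPS events only
    process_name: Optional[str] = None       # IPS events only
    signature_name: Optional[str] = None     # localized name from the client
    computer_name: Optional[str] = None      # blocked-app / quarantine events
    application_name: Optional[str] = None   # blocked-app events
    application_path: Optional[str] = None   # blocked-app events
    local_ip: Optional[str] = None           # quarantine events


def notification_parameters(ev: Event) -> Dict[str, Optional[str]]:
    """Fill the six message parameters per category; None is the table's 'none'."""
    common = {"EventTimestamp": ev.incident_time.isoformat(sep=" "),
              "EventID": str(ev.event_id)}
    if ev.category in (HOST_IPS, NETWORK_IPS):
        specific = {"ReceivedThreatNames": str(ev.signature_id),
                    "SourceComputers": ev.remote_ip,
                    "AffectedObjects": ev.process_name,
                    "AdditionalInformation": ev.signature_name}
    elif ev.category == APP_BLOCKED:
        specific = {"ReceivedThreatNames": None,
                    "SourceComputers": ev.computer_name,
                    "AffectedObjects": ev.application_name,
                    "AdditionalInformation": ev.application_path}
    elif ev.category == QUARANTINE:
        specific = {"ReceivedThreatNames": None,
                    "SourceComputers": ev.computer_name,
                    "AffectedObjects": ev.local_ip,
                    "AdditionalInformation": None}
    else:
        raise ValueError(f"unknown notification category: {ev.category!r}")
    return {**common, **specific}


@dataclass
class Rule:
    name: str
    categories: Set[str]
    threat_name: Optional[str] = None   # one IPS signature ID, or None for all
    subject: str = "{ReceivedThreatNames} on {SourceComputers}"
    body: str = "Event {EventID} at {EventTimestamp}: {AffectedObjects} ({AdditionalInformation})"


def rule_matches(rule: Rule, ev: Event) -> bool:
    """Category filter first, then the optional Threat Name filter. Blocked-app
    and quarantine events have ReceivedThreatNames 'none', so a signature-keyed
    rule never selects them; use a category-only rule for those."""
    if ev.category not in rule.categories:
        return False
    if rule.threat_name is None:
        return True
    return notification_parameters(ev)["ReceivedThreatNames"] == rule.threat_name


def render(template: str, params: Dict[str, Optional[str]]) -> str:
    """Substitute {Parameter} placeholders; unpopulated ones print as 'none'."""
    return template.format(**{k: ("none" if v is None else v) for k, v in params.items()})


def dispatch(rules: List[Rule], events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (rule name, subject, body) for every matching rule/event pair."""
    out = []
    for ev in events:
        params = notification_parameters(ev)
        for rule in rules:
            if rule_matches(rule, ev):
                out.append((rule.name, render(rule.subject, params), render(rule.body, params)))
    return out


# Constructed sample events and rules; IDs and names are illustrative only.
T = datetime(2007, 3, 1, 9, 30, 0)
SAMPLE_EVENTS = [
    Event(HOST_IPS, event_id=100, incident_time=T, signature_id=1021, remote_ip="10.0.0.5",
          process_name="cmd.exe", signature_name="Example signature A"),
    Event(HOST_IPS, event_id=100, incident_time=T, signature_id=3000, remote_ip="10.0.0.6",
          process_name="svchost.exe", signature_name="Example signature B"),
    Event(APP_BLOCKED, event_id=101, incident_time=T, computer_name="WS-01",
          application_name="tftp.exe", application_path=r"C:\Windows\System32\tftp.exe"),
    Event(QUARANTINE, event_id=102, incident_time=T, computer_name="WS-02", local_ip="10.0.0.7"),
]
SAMPLE_RULES = [
    Rule("sig-1021-only", {HOST_IPS, NETWORK_IPS}, threat_name="1021"),
    Rule("all-blocks-and-quarantines", {APP_BLOCKED, QUARANTINE}),
    Rule("never-fires", {APP_BLOCKED}, threat_name="1021"),  # signature filter on a category with none
]


def demo() -> List[Tuple[str, str, str]]:
    return dispatch(SAMPLE_RULES, SAMPLE_EVENTS)


if __name__ == "__main__":
    for name, subject, body in demo():
        print(f"[{name}] {subject}\n    {body}")
```

Running the block shows three notifications: the signature-keyed rule fires once (for signature 1021, not 3000), the category-only rule fires for the blocked application and the quarantine, and the misconfigured rule that filters Application blocked events by signature ID never fires, which is the caveat to check when a rule you expect to trigger stays silent.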

124